Fileless persistence, attacks and anti-forensic capabilities.
NtRaiseHardError/Kaiser

Kaiser

File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit).

NOTE: This project was NOT designed to evade AV detection.

Related paper: https://github.com/NtRaiseHardError/NtRaiseHardError.github.io/blob/master/_posts/2018-12-06-Anti-forensic-Malware-and-File-less-Malware.md

This project is discontinued.

How to Build/Use:

  1. Compile Kaiser.dll in Release mode
  2. Upload Kaiser.dll such that it can be directly downloaded as a raw binary
  3. Update the BuildKaiser.ps1 script to include the URL for Kaiser.dll
  4. Run BuildKaiser.ps1 to build the Payload.ps1 script
  5. Upload the Payload.ps1 script such that it can be directly downloaded as raw text
  6. Update the BuildKaiser.ps1 script to include the URL of Payload.ps1
  7. Run BuildKaiser.ps1 to build the Installer.ps1 script
  8. Run the Installer.ps1 script with administrative privileges on the target machine

Known bugs:

  • Threaded XxxNetSend sends are buffered rather than sent immediately (reason unknown)
  • PurgeXxx functions are not guaranteed to work (perhaps because they use ShellExecuteEx)
  • More?

TODO:

  • CommandPrintStatus to print the status of Kaiser?
  • Convert functions in firewall.c to WinAPI
  • [OPTIONAL] Make C2 connection loop until established
  • Convert functions in registry.c to WinAPI
  • Send debugging warnings/errors back to C2
  • Make PurgeProcessMonitor asynchronous (IWbemServices::ExecNotificationQueryAsync)